Question :
Service : https://texmaker.ctf.internetwache.org/
Solution :
The webpage lets you write LaTeX and compile it to a PDF.
After a bit of searching for LaTeX hacks I found this guide:
http://cseweb.ucsd.edu/~hovav/dist/texhack.pdf
Well, this is an amazing article on how to use LaTeX for malicious purposes. I went with the usual approach of using \input{"ls"}, as we have no clue where the file is or what the file extension of the flag is.
We see "BLACKLISTED commands cannot be used."
I tried a few evasion techniques from the above article, like
\csname \begin \@@ ^^5C \cat_code. No luck though.
Let's change the view and search for commands that can execute shell commands for us.
After a bit of digging I finally found a command that was not BLACKLISTED: \write18,
which is also called shell-escape.
http://tex.stackexchange.com/questions/16790/write18-capturing-shell-script-output-as-command-variable
After that it was simple to use \write18{ls ../}
and \write18{cat ../flag.php}
FLAG : IW{L4T3x_IS_Tur1ng_c0mpl3te}
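The blacklist failed here because \write18 was still reachable, so the fix belongs in how the service invokes TeX rather than in the filter. The following is an added example, not code from the challenge or the original post: it assumes a TeX Live pdflatex (the -no-shell-escape flag and the kpathsea openin_any/openout_any settings), and the function names and sample inputs are constructed for illustration. The pattern check is for logging only and is not exhaustive.

```python
import re

_CARET_HEX = re.compile(r"\^\^([0-9a-f]{2})")      # TeX ^^xx notation: ^^5c is a backslash
_SHELL_ESCAPE = re.compile(r"\\write\s*18(?!\d)")  # \write18 or \write 18


def normalise(src):
    """Expand ^^xx sequences until stable so an encoded backslash becomes visible."""
    prev = None
    while prev != src:
        prev, src = src, _CARET_HEX.sub(lambda m: chr(int(m.group(1), 16)), src)
    return src


def uses_shell_escape(src):
    """True if the source requests \\write18, written plainly or ^^-encoded."""
    return bool(_SHELL_ESCAPE.search(normalise(src)))


def compile_command(tex_path, out_dir):
    """Return (argv, env) for compiling untrusted input with shell escape off."""
    argv = [
        "pdflatex",
        "-no-shell-escape",           # \write18 is never handed to a shell
        "-interaction=nonstopmode",   # never wait for terminal input
        "-halt-on-error",
        f"-output-directory={out_dir}",
        tex_path,
    ]
    env = {
        "PATH": "/usr/bin:/bin",      # assumption: pdflatex lives here
        "openin_any": "p",            # paranoid: no reads via absolute paths or ../
        "openout_any": "p",           # same restriction for writes
    }
    return argv, env


if __name__ == "__main__":
    # Constructed samples modelled on the commands quoted in the write-up.
    for sample in (r"\immediate\write18{ls ../}", r"^^5cwrite18{cat ../flag.php}",
                   r"\documentclass{article}"):
        print(uses_shell_escape(sample), sample)
    print(compile_command("job.tex", "out")[0])
```

Pass the returned argv and env to subprocess.run inside a throwaway working directory, and treat a True from uses_shell_escape as a signal to log the submission, not as the control that stops it.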